Presentation on theme: "Cryptography and its Assurance Steve Hallett CFS IA November 2010."— Presentation transcript:
Cryptography and its Assurance Steve Hallett CFS IA November 2010
2 Agenda Cryptography 101, not Why the need for Assurance? Why is Assurance Problematic for Cryptography? Types of Assurance –Cryptanalysis and Peer Review –Governance Framework –Architecture, Design and Implementation –Physical Security –Protocols and Procedures –3 rd Parties –Miscellaneous Questions
Cryptography 101, not Three may keep a Secret, if two of them are dead. Benjamin Franklin, Poor Richard's Almanack, 1735
4 Cryptography 101, not - 1 Cryptography (from Greek κρυπτός, kryptos, "hidden, secret"; and γράφ, gráph, "writing”) is the practice and study of hiding information. Source Wikipedia Historically, emphasis was on encryption, the conversion of information from a readable state to a nonsensical one (and back again via decryption); Latterly, techniques have been developed and extended to include authentication, integrity checking and non-repudiation; Keys are critical - ciphers without variable keys can be trivially broken with only the knowledge of the cipher used;
5 Cryptography 101, not - 2 substitution and transposition; algorithms; cryptographic primitives; plaintext; symmetric and asymmetric; different but mathematically related keys; public key; private key; block ciphers and stream ciphers.... Advanced modes of operation; The Data Encryption Standard (DES); Advanced Encryption Standard (AES); implement in software; RC4; hardware implementations; hash functions; short, fixed length hash (or digest); collision: one way function (unlike compression ); message authentication code (MAC); computationally infeasible, necessarily related.... freely distributed, must remain secret; bound to the issuer via digital certificates ; trust relationships; digital signature ; signing; verification; RSA and DSA.....
6 Cryptography 101, not - 3 Cryptology is a branch of applied mathematics, involving often esoteric concepts; It can appear monolithic, but there are many choices to be made for a given implementation – –Symmetric v Asymmetric; –Block v Stream; –Algorithm, key length; –Application v network; –Software v hardware; In practice most cryptosystems are hybrid and utilise more than one method;
7 Cryptography 101, not – Conclusion A helpful way to grasp the concept of cryptography is that it consists of tasks that are relatively trivial to complete one way (typically when in possession of the relevant algorithm and, more importantly, the correct key), but decidedly non-trivial to complete in any other way; This section has covered a lot of ground, in a superficial way; the thing to take away is that there are various flavours of cryptography, each with their own pros and cons under different scenarios; The first degree of assurance is to have an appreciation of cryptography (or employ someone you trust who has)
Why the Need for Assurance? Assurance is a jewel worth waiting for Thomas Brooks, Puritan;
9 Why the Need for Assurance? - 1 Difficult to mange risk in the absence of some degree of assurance; Payment Industry schemes (BACS, CHAPS, LINK) seek assurance from their members, and expect management to understand the controls they have; Regulators are more oblique in their expectations, but – “If you think safety is expensive, try having an accident” Stelios Haji-Ioanna (hasn’t set up Easy Crypto yet); (substitute “cryptography” for “safety” and “data loss incident” for “accident”)
Why is Assurance Problematic for Cryptography? The problem of distinguishing prime numbers from composite numbers and of resolving the latter into their prime factors is known to be one of the most important and useful in arithmetic. Carl Fredrich Gauss, Mathematician;
11 Why is Assurance Problematic for Cryptography? Cryptography is predicated upon and ******* ; In theory, one could examine an encrypted file or data stream and confirm that it was, indeed, unintelligible; In practice, this is likely to be impracticable and/or undesirable; More to the point, it doesn’t actually prove much; how difficult would it be for an attacker to render it intelligible? Does it meet the formal requirements of any external or internal standards that have to be complied with? Finally – “In the world of cryptography, we assume something is broken until we have evidence to the contrary." Bruce Schneier, February 2003
Cryptanalysis and Peer review Beware of snake oil Phil Zimmermann, the creator of PGP
13 Cryptanalysis and Peer review - 1 Kerckhoffs’ Principle– –It (cipher) must not be required to be secret, and it must be able to fall into the hands of the enemy without inconvenience; since restated as “The enemy knows the system”; The practical point arising from the principle is that the algorithm that drives any cryptographic method must be publicly available for (rigorous) peer review, up to and including attempts to break it; Examples of algorithms found wanting in this way include FEAL-4 (once mooted as a DES replacement), MD4 and SHA-0 A cipher is considered strong if, after analysis by cryptographers, there is no published, effective cryptanalytic attack against it; i.e., the only feasible attack is a brute force attack on key; A 128 bit key has discrete key values, but impact of super computers and Quantum Computing?
14 Cryptanalysis and Peer review - Conclusion The next degree of assurance is ensuring that algorithms, key lengths and the software and hardware that implement them have been subject to rigorous objective, assessment; This doesn’t have to be reading academic papers; commercial laboratories, standards bodies, industry schemes and government agencies test and/or certify cryptographic software and hardware; Suppliers often have links from their product pages to relevant approved lists or certifications;
Governance Framework Like all fads, corporate governance has its zealots Conrad Black
16 Governance Framework Self-explanatory? In practical terms there should be a cryptographic policy and standards framework covering, inter alia, such topics as – –Approved algorithms and key lengths; –Approved uses for specific algorithms; –The expected lifetime of algorithms and key lengths (map period of data confidentiality onto this, and be prepared to re-encrypt); –Individual key life times; –Standards for key generation and management; –Key escrow, archive and destruction; The next degree of assurance is a robust governance framework.
Architecture, Design and Implementation... the architect raises his structure in imagination before he erects it in reality Karl Marx, Das Kapital (1867)
18 Architecture, Design and Implementation Any cryptographic method, no matter how secure and robust conceptually, may be undone by a poor or badly thought through implementation; This ought to be readily reviewable (if it isn’t, positive assurance in this area may prove illusive) via documents and interviews with SMEs; Questions to consider include – –Is the design risk-based (e.g. encryption of sensitive data in transit across hostile or untrusted zones or when hosted on mobile devices)? –Are the zones (trusted/untrusted, host/scheme/supplier) clearly defined and understood; are there any gaps in encryption at the interface of zones? Are working/session keys protected in transit and in situ? –Is there demonstrably sufficient capacity/bandwidth? –Is there sufficient resilience and, ultimately, contingency? The next degree of assurance is a fit for purpose, suitably documented design and implementation.
Physical Security Were beauty under twenty locks kept fast Shakespeare, Venus and Adonis
20 Physical Security To date we have been mainly talking about logical security, but physical security is a baseline for cryptography, and ought to be readily available for inspection; Private and shared (symmetric) keys have to be kept secret and access to production cryptographic components should be strictly controlled, hence – –Are materials associated with key generation (smart cards and their PINs, forms, envelopes) secured under segregated control? –Are HSMs hosted in secure machine rooms, in dedicated cabinets? –Do key ceremonies take place in secure facilities (at the high end this includes Faraday cages and regular bug sweeps) with sufficient privacy for participants? (see also Protocols and Procedures) –Are keying materials securely destroyed once finished with? (see also Protocols and Procedures) The next degree of assurance is suitable physical security around cryptographic materials, components and processes.
Protocols and Procedures Anyone who considers protocol unimportant has never dealt with a cat. Robert A. Heinlein
22 Protocols and Procedure - 1 In practice, any method is only as secure as the protocols around its use; This is largely a question of managing a secure lifecycle for keys (as defined in the Governance Framework)– –Generation; –Implementation; –Retirement/Archive/Destruction; –Emergency replacement (typically for compromised keys); Should be feasible to attend a key ceremony as an observer and confirm such controls as – –Keying component segregation and secure storage; –Adherence to published procedures; –Secure delivery of generated key components; The next degree of assurance is the integrity of the protocols and processes that enable and support cryptographic operations.
3 rd Parties Well, you should of come to the first party. We didn't get home 'til around four in the morning. I was blind for three days! Otis B. Driftwood
24 3 rd Parties Theoretically, all the considerations outlined thus far also apply to 3 rd parties operating cryptographic services on one’s behalf; Practically, assurance may be harder to achieve, but the responsibility for data security remains vested in the data owner, not the processor; If a supplier proves difficult over assurance, have to question relationship; Assuming reasonable level of cooperation, consider the following actions – –Review the contract for security obligations and cryptographic SLAs; –Obtain any external reviews available, e.g. SAS70, QSA reviews (PCI); –Determining whether the supplier has a Certified Service Bureau status; –Site visits, with particular emphasis on cryptographic components; –Attending key ceremonies as an observer; The next degree of assurance is over 3 rd parties.
Miscellaneous If you think cryptography is the answer to your problem, then you don't know what your problem is. Peter G. Neumann, quoted in the New York Times, February
26 Miscellaneous There is some value to be had by sitting down with cryptographic system administrators to review system parameters and settings against policy and best practice; also patch levels; Digital certificates are informative, particularly for key sizes and algorithms (they should also have a valid date and be issued by a recognised authority); The final degree of assurance is having come at this from all angles. ~~~ Proving that Cryptologists are funnier than particle physicists – Mary had a little key (It's all she could export), and all the that she sent was opened at the Fort. Ron Rivest Mary had a little key - she kept it in escrow, and every thing that Mary said, the feds were sure to know. Sam Simpson
27 Questions Some questions to take away with you – Are there unknown zones in your network? Whom do you trust? How sure are you about their identity?